Digital Rights Management (DRM – alternatively Information Rights Management [IRM]) and Data Loss Prevention (DLP) are typically thought of as separate problems with different vendors and solutions targeting each. The market may have evolved this way, but that’s not the way it has to be.

The need to place and enforce DRM policies on information (e.g. can I print this? copy it to USB? email it?) must expand to include contextual awareness of the content being protected – the realm of DLP. These are not separate problems and should be integrated, ideally from a single solution.

Neil MacDonald is a vice president, distinguished analyst and Gartner Fellow in Gartner Research. Mr. MacDonald is a member of Gartner's information security and privacy research team, focusing on operating system and application-level security strategies. Specific research areas include Windows security…

Thoughts on Security Thought for Tuesday: DRM and DLP are not Separate Problems

Neil
Perhaps it's more accurate to say that DRM as a space has little hope of acquiring any significant market share without DLP as an enabler? Just as we have seen with many encryption projects, DRM also suffers as a relevant countermeasure when it relies upon end-users to apply the protection.

We simply don’t see that many successful DRM deployments out there that rely on an executive to hit the “secure this” button. Without automatic enforcement (applied by content aware DLP) there’s very limited room for any kind of optimism that enterprise DRM will have much relevance.

Kevin, let’s try the question the other way. Do you believe that DLP without DRM as a capability makes sense longer term?

It’s one thing to block me from using a USB key. Brute force DLP. A step better is to say “well, Neil can use the USB key to copy non-sensitive data” – e.g. using content-aware DLP. A step better than this is being able to say “Neil can use the USB key to store sensitive data if the USB key is a specific type that uses built-in hardware encryption”. But that may not provide enough flexibility and we’ve crossed a fuzzy line into DRM. Taking this further, why not a policy that says, “Neil can use the USB key to carry sensitive data on any USB key, but only if he encrypts and tags the data with policy that is enforceable at the destination.” In other words, DRM/IRM policy.

I don’t see the clear line between policy-based encryption of information using DLP and what traditionally is thought of as DRM. Seems like it's just degrees of granularity, with encryption of the content as one form of control. Controls over whether or not I can copy, print, cut and paste, etc. are just more granular forms of control.

I do agree that DRM with context- and content-aware DLP to auto-apply policy should be considered a requirement for widespread adoption.

So why not cross that fuzzy line (which I would argue has already been crossed) and combine the two – with DLP being the high order bit.

I agree with the argument but the comments take this to the next level.

(Kevin, here is some business advice)

DLP is a policy, DRM is a control.

The DLP vendors have muddied things up a bit by adding controls to their solutions (because without controls DLP is worthless) but the actual part of the technology that is new is the part that understands documents. The blocking parts (the controls) are not new. So, separating the controls from the policy lets us understand more clearly what DLP really is.

By my definition (which is as good as anyone else's) DLP needs to be “content aware” to be DLP. A lot of products are sold as DLP but have no “content awareness”, such as USB port blockers.

My feeling is that DLP solutions should shed their default controls and allow controls to plug into them. So, DLP will know that a document is “highly confidential” but will not block the user from printing it. It will tell 1. the OS not to allow printing, 2. the application to “grey out” the printer icon, 3. the switch to block “printing traffic”, 4. the printer to block the user from printing, 5. the personal firewall on the system to block printing and (optionally) 6. the firewall and 7. the IPS to block printer traffic to the internet.

If you think about it – a firewall used to be a clever router, now everything has firewalls built in. Firewalls understand networking, IPSs understand applications, DLP solutions understand documents… they all do blocking at different places on the network. So, tie the controls together and get the “thinking” working separately.

Agree it's more elegant to separate policy administration from policy decisions from policy enforcement. One of the challenges is agreeing on a common way to express policy that spans the enforcement points you describe. Vendors like to create silos and we help to perpetuate them by not demanding something different.

So we end up in a situation where we have many security silos that mush together policy administration and enforcement – with DLP being the latest example.

Microsoft’s agreement with RSA is interesting though. It heads the right direction with RSA’s DLP engine being about policy and Microsoft’s platforms being about enforcement.

DLP is about policy with control and DRM is one of the many enforcement mechanisms used to protect data. Here is the problem – DRM requires user identity to enforce policy, but most DLP today uses content to apply policy. Most DLP products on the market today are identity-blind. In order to implement DRM, identity-awareness is needed; that is the reason why DLP and DRM are two separate products.

I agree that DLP needs to be content-aware. I will take this further by saying that DLP needs to be not just content-aware, but “identity, content, and context aware”. When DLP becomes identity-aware (which is inevitable from my viewpoint), the ability to enforce policy using DRM will naturally become part of the product. Long term, I expect DRM functionality to merge into DLP.
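The architecture argued for in the two comments above (a content-aware decision kept separate from pluggable controls, with identity and context as further inputs, and every decision leaving an audit record) sketched as an added Python example; this is not code from any commenter or vendor named on the page, and the classifier rule, the group and action names and the enforcement-point names are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed example: the SSN rule, group names, actions and the
# enforcement-point names are assumptions, not any vendor's product.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Which enforcement points a "block" verdict engages for each action.
ENFORCERS_FOR = {
    "print": ["os_print", "app_print_button", "switch_printer_vlan"],
    "email": ["mail_gateway", "irm_wrap"],
    "copy_usb": ["os_usb"],
}

# Controls plug in here by name; each returns an audit record when engaged.
ENFORCERS = {name: (lambda n=name: {"control": n, "result": "engaged"})
             for names in ENFORCERS_FOR.values() for name in names}

def classify(text: str) -> str:
    """Content-aware step: the part of DLP that understands documents."""
    if SSN_RE.search(text) or "confidential" in text.lower():
        return "highly_confidential"
    return "public"

@dataclass
class Request:
    user: str          # identity
    groups: frozenset  # identity
    action: str        # "print" | "copy_usb" | "email"
    context: dict      # e.g. {"usb_hw_encrypted": True}

def decide(label: str, req: Request) -> tuple[str, list[str]]:
    """Policy decision point: label + identity + context -> verdict, controls."""
    if label == "public":
        return "allow", []
    if req.action == "copy_usb":
        # Hardware-encrypted key: allow; any other key: wrap in IRM policy
        # that the destination can enforce, instead of blocking outright.
        if req.context.get("usb_hw_encrypted"):
            return "allow", []
        return "encrypt_and_tag", ["irm_wrap"]
    if req.action == "print" and "finance" in req.groups:
        return "allow", []
    return "block", ENFORCERS_FOR[req.action]

def enforce(label: str, req: Request):
    """Dispatch to the plugged-in controls and return the audit trail."""
    verdict, controls = decide(label, req)
    audit = [{"user": req.user, "action": req.action, "label": label,
              "verdict": verdict}]
    audit += [ENFORCERS[c]() for c in controls]
    return verdict, audit
```

Swapping a real IRM wrapper or gateway into `ENFORCERS` changes nothing in `classify` or `decide`, which is the separation the comments ask for.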

First I want to clarify that DRM is usually used when talking about business to consumer technologies, used by sites such as iTunes, Amazon Unbox etc. IRM (or ERM) is about protecting enterprise content, business to business. It’s a very different set of use cases. DRM is about stopping me from making copies of my music that I have purchased, IRM is about protecting my social security number in my health records used by my doctor.

Agreed both technologies have some overlap. I wrote up an article a while back on the differences between the two…

Vendors are also working on bringing these two technologies closer together. I’ve also heard from a lot of customers who have deployed DLP that IRM is the next logical step in the detection and control of sensitive information passing into and out of your enterprise networks.

IRM has suffered from the end user being the source of the decision making, as Kevin Rowney correctly states. IRM has implemented the ability to auto protect storage locations, file repositories, document templates and also protect content as it is exported from applications, but it still remains that a user can create content and choose not to protect it. DLP brings this very useful functionality by detecting the flow of sensitive information that is incorrectly secured, IRM delivers the controls.

Oracle IRM is one IRM technology that in its next release becomes much more open and makes it easier to pass off the policy controls to DLP. IRM then becomes the enforcer and DLP becomes the detector and definer of policy.

What is most important of all is that the end user experience and their workflows are uninterrupted for valid uses. A well designed DLP and IRM implementation will be almost transparent to an end user who is using sensitive information in an authorized manner and when they try to do something not permitted, they are given simple and easy to understand messages.

3. Policy enforcement – This should ideally be done by a single desktop agent that enforces both distribution and usage controls and talks to a single network agent.

4. Audit trailing – A single system which will report all distribution and usage events.

When I imagine this complete system the management overhead gives me the shudders; intelligent defaults and an “artificial intelligence” system to rummage through all the audit data and look for “events of interest” appear to be a must-have.
